Confidential Information
 

The following report contains confidential information. Do not distribute, email, fax or transfer it via any electronic mechanism unless this has been approved under our security policy. All copies and backups of this document should be saved on protected storage at all times. Do not share any of the information contained within this report with anyone unless they are authorized to view it. Violating any of the previous instructions is grounds for termination.
 

 

Table of Contents

Executive Summary                  1 - 1
Vulnerability Summary              2 - 1
Address 010.001.001.108            3 - 1
          General                  3 - 2
          Audits                   3 - 3
          Machine                  3 - 4
          Port                     3 - 5
          Services                 3 - 6
          Shares                   3 - 7
          Users                    3 - 8
Glossary of Terms                  4 - 1

 

Executive Summary 1 - 1



At 3:52:20 PM, Retina performed a vulnerability assessment of 1 system in order to determine the security posture of that system and to outline fixes for any vulnerabilities found.

The system audited was: 010.001.001.108

Retina's goals in this attack were as follows:
  • Perform a network scan to determine all systems and services within your scan range.
  • Analyze those systems and services and perform information gathering techniques.
  • Attack and exploit any known holes in the server software and examine the likelihood of being vulnerable to those attacks.
  • Generate information on how to fix all found vulnerabilities.
  • Create a security report for your organization.

Your network had 5 low risk vulnerabilities, 10 medium risk vulnerabilities, and 6 high risk vulnerabilities. There was 1 host vulnerable to high risk vulnerabilities and 1 host vulnerable to medium risk vulnerabilities. On average, each system on your network was vulnerable to 6.00 high risk vulnerabilities, 10.00 medium risk vulnerabilities and 5.00 low risk vulnerabilities.

The overall security of the systems under review was deemed rather insecure. Your organization's network is completely vulnerable. It is imperative that you take immediate action to fix the security stance of your organization's network.

 

 

Vulnerability Summary 2 - 1

Introduction
This report was generated on 11/20/2003 3:54:59 PM. The network security scan was performed using the default security policy. The security audits in this report are not conclusive and are to be used only as a reference; the physical security of the network should also be examined. All audits outlined in this report were performed using Retina - The Network Security Scanner, Version 4.9.56.

 

Audits
Audits in Retina, the Network Security Scanner, are categorized into different sections. The sections are based on the type of services you might be running on your servers and/or workstations.

Total Vulnerabilities By Risk Level
[Graph not reproduced in this copy: the total number of vulnerabilities across all machines, divided by risk level.]

Total Vulnerabilities By Audit Category
[Graphs not reproduced in this copy: one graph per audit category, each showing the total number of vulnerabilities in that category across all machines, divided by risk level. Categories: Accounts, CGI Scripts, CHAM, Database, DNS Services, DoS, FTP Servers, IP Services, Mail Servers, Miscellaneous, NetBIOS, Registry, Remote Access, Rpc Services, Service Control, SNMP Servers, SSH Servers, Web Servers, Wireless.]

 

Address 010.001.001.108 3 - 1



General: 010.001.001.108

Address: 10.1.1.108
Report Date: 11/20/03 03:52:20 PM
Domain Name: LTREE108
Ping Response: Host Responded
Average Ping Response: 60 ms
Time To Live: 128
Traceroute: 10.1.1.108



Audits: 010.001.001.108


CGI Scripts: TCP:80 - CGI - fpcount.exe
Risk Level: High
Description: A buffer overflow vulnerability in older versions of fpcount.exe can be remotely exploited to execute arbitrary commands.
How To Fix:
Fpcount.exe is not needed to operate FrontPage. Remove the file from your system to mitigate this vulnerability.
URL1: Microsoft FrontPage  (http://microsoft.com/frontpage/)
CVE: CAN-1999-1376


NetBIOS: Null Session
Risk Level: High
Description: A Null Session occurs when an attacker sends a blank username and blank password when connecting to the IPC$ (Inter Process Communication) pipe. By creating a null session to IPC$, an attacker is then able to obtain a list of user names, shares, etc.
Note: If you have run this Retina scan with Administrator level access to your network then you will always be able to create a null session and therefore this is a false positive and not a vulnerability.
How To Fix:
Add the following registry value under the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA: Name: RestrictAnonymous, Type: REG_DWORD, Value: 1.
CVE: CVE-2000-1200
BugtraqID: 494


Web Servers: TCP:80 - IIS 5.0 IPP ISAPI Host overflow
Risk Level: High
Description: Due to an unchecked buffer in msw3prt.dll, a maliciously crafted HTTP .printer request containing approximately 420 bytes in the 'Host:' field will allow the execution of arbitrary code on unpatched Windows 2000 IIS 5.0 web servers.
How To Fix:
A patch is available from Microsoft to fix this vulnerability. We also recommend removing the .printer ISAPI filter if it is not needed.
URL1: Microsoft - IPP Hotfix  (http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29321)
URL2: eEye Digital Security Advisory  (http://www.eeye.com/html/Research/Advisories/AD20010501.html)
CVE: CVE-2001-0241
BugtraqID: 2674


Web Servers: TCP:80 - IIS4-5 escape characters decode vulnerability
Risk Level: High
Description: Due to a flaw in the handling of CGI filename program requests, it is possible for a remote user to execute arbitrary commands on an Internet Information Server or Personal Web Server host. The problem exists in the decoding of escape characters in the URI of the HTTP request itself.
How To Fix:
Microsoft has released a patch to eliminate this flaw.
URL1: Microsoft Patch.  (http://support.microsoft.com/support/kb/articles/Q295/5/34.ASP)
CVE: CVE-2001-0333
BugtraqID: 2708


Web Servers: TCP:80 - IIS45 IDA remote system overflow
Risk Level: High
Description: This vulnerability allows any malicious attacker to gain remote system level access on unpatched systems. This is the same attack that was used by CodeRed, so it is important to patch immediately.
How To Fix:
Microsoft has released a hotfix for this vulnerability.
URL1: Microsoft Advisory.  (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp)
URL2: eEye Digital Security Advisory  (http://www.eeye.com/html/Research/Advisories/AD20010618.html)
URL3: eEye Analysis of CodeRed  (http://www.eeye.com/html/Research/Advisories/AL20010717.html)
CVE: CVE-2001-0500
BugtraqID: 2880


Web Servers: TCP:80 - NT IIS Unicode Vulnerability
Risk Level: High
Description: Microsoft IIS (Internet Information Services) 4.0 and 5.0 contain a vulnerability in how they parse file requests that contain Unicode characters. It is possible for an attacker to remotely execute commands against vulnerable servers with the access level of IUSR_MACHINE. This is the vulnerability the Nimda worm used to propagate.
How To Fix:
Install the patch provided by Microsoft.
URL1: Microsoft Security Bulletin  (http://www.microsoft.com/technet/security/bulletin/MS00-078.asp)
CVE: CVE-2000-0884
BugtraqID: 1806


Accounts: Administrator - Password Does Not Expire
Risk Level: Medium
Description: If a user's password does not expire, you allow a remote attacker an endless amount of time to try to figure out that user's password. It is recommended that all users' passwords expire unless the user account is used for a system service.
How To Fix:
Remove the password never expires option from the user account.
1. Open User Manager.
2. Select the user from the list.
3. Select Properties from the User menu.
4. Uncheck "Password Never Expires."
5. Click "Ok".
CVE: CAN-1999-0535


Accounts: IUSR_VM2KSERVER - Password Does Not Expire
Risk Level: Medium
Description: If a user's password does not expire, you allow a remote attacker an endless amount of time to try to figure out that user's password. It is recommended that all users' passwords expire unless the user account is used for a system service.
How To Fix:
Remove the password never expires option from the user account.
1. Open User Manager.
2. Select the user from the list.
3. Select Properties from the User menu.
4. Uncheck "Password Never Expires."
5. Click "Ok".
CVE: CAN-1999-0535


Accounts: IWAM_VM2KSERVER - Password Does Not Expire
Risk Level: Medium
Description: If a user's password does not expire, you allow a remote attacker an endless amount of time to try to figure out that user's password. It is recommended that all users' passwords expire unless the user account is used for a system service.
How To Fix:
Remove the password never expires option from the user account.
1. Open User Manager.
2. Select the user from the list.
3. Select Properties from the User menu.
4. Uncheck "Password Never Expires."
5. Click "Ok".
CVE: CAN-1999-0535


Accounts: TsInternetUser - Password Does Not Expire
Risk Level: Medium
Description: If a user's password does not expire, you allow a remote attacker an endless amount of time to try to figure out that user's password. It is recommended that all users' passwords expire unless the user account is used for a system service.
How To Fix:
Remove the password never expires option from the user account.
1. Open User Manager.
2. Select the user from the list.
3. Select Properties from the User menu.
4. Uncheck "Password Never Expires."
5. Click "Ok".
CVE: CAN-1999-0535


Accounts: Max Password Age
Risk Level: Medium
Description: The maximum password age is the maximum number of days until a user's account password expires. It is recommended that users change their password once a month.
How To Fix:
For Windows NT 4.0:
Set the maximum password age to 30 days.
1. Open User Manager.
2. Select Account from the Policies menu.
3. Click Expires In.
4. Enter the maximum days (Recommended 30 or less).
For Windows 2000:
1. Open Administrative Tools, then Local Security Policy.
2. Navigate to Account Policy, then Password Policy.
3. Reconfigure your settings from the menu on the right.
CVE: CAN-1999-0535


Accounts: Min Password Length
Risk Level: Medium
Description: The minimum password length is the smallest number of characters a user account password can have. It is recommended that account passwords be longer than 10 characters.
How To Fix:
Set the minimum password length to 10 characters.
1. Open User Manager.
2. Select Account from the Policies menu.
3. Click At Least.
4. Enter the minimum password length (recommended is 10 characters or more).
CVE: CAN-1999-0535


Web Servers: TCP:80 - IDA Real Path Attack
Risk Level: Medium
Description: By sending a malformed request to the .IDA ISAPI filter, it is possible for an attacker to remotely learn where your web server files are stored. For example, http://www.example.com/invalidfilename.ida will return "c:\inetpub\wwwroot\invalidfilename.ida not found".
How To Fix:
1. Open Internet Services Manager.
2. Right-click the web site you want to protect and select Properties.
3. Click the "Home Directory" tab.
4. Click the "Configuration" button.
5. Select the .IDA ISAPI filter and click the "Edit" button.
6. Check the box "Check that file exists."
CVE: GENERIC-MAP-NOMATCH


Web Servers: TCP:80 - IDQ Real Path Attack
Risk Level: Medium
Description: By sending a malformed request to the .IDQ ISAPI filter, it is possible for an attacker to remotely learn where your web server files are stored. For example, http://www.example.com/invalidfilename.idq will return "c:\inetpub\wwwroot\invalidfilename.idq not found".
How To Fix:
1. Open Internet Services Manager.
2. Right-click the web site you want to protect and select Properties.
3. Click the "Home Directory" tab.
4. Click the "Configuration" button.
5. Select the .IDQ ISAPI filter and click the "Edit" button.
6. Check the box "Check that file exists."
CVE: GENERIC-MAP-NOMATCH


Web Servers: TCP:80 - IIS - ISM Source Fragment Disclosure
Risk Level: Medium
Description: By sending a carefully crafted URL to IIS 4 and IIS 5, an attacker can view various fragments of ASP files. This technique can be used to discover database usernames and passwords.
How To Fix:
Microsoft has made patches available that will correct this problem.
URL1: Microsoft Advisory  (http://www.microsoft.com/technet/security/bulletin/ms00-044.asp)
CVE: CVE-2000-0630
BugtraqID: 1488


Web Servers: TCP:80 - IIS5 Translate Source Disclosure
Risk Level: Medium
Description: An attacker can view the source code of your ASP files by sending a carefully crafted URL containing the Translate: header field. This can lead to an attacker learning about passwords and various other data that can lead to total system compromise.
How To Fix:
Microsoft has released a patch for this problem.
URL1: Microsoft patch Q256888_W2K_SP1_x86_en  (http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q256888&)
CVE: CVE-2000-0778
BugtraqID: 1578


Accounts: IUSR_VM2KSERVER - Cannot Change Password
Risk Level: Low
Description: It is recommended that a machine be set up so that users have the ability to change their own password; otherwise password changes will occur less frequently. However, if this account is used by a system service, the ability to change passwords is not required.
How To Fix:
Allow the user to change their password by doing the following:
1. Open User Manager.
2. Select the user from the list box.
3. Select properties from the User menu.
4. Uncheck "User Cannot Change Password."
5. Click "OK".
CVE: GENERIC-MAP-NOMATCH


Accounts: IWAM_VM2KSERVER - Cannot Change Password
Risk Level: Low
Description: It is recommended that a machine be set up so that users have the ability to change their own password; otherwise password changes will occur less frequently. However, if this account is used by a system service, the ability to change passwords is not required.
How To Fix:
Allow the user to change their password by doing the following:
1. Open User Manager.
2. Select the user from the list box.
3. Select properties from the User menu.
4. Uncheck "User Cannot Change Password."
5. Click "OK".
CVE: GENERIC-MAP-NOMATCH


Accounts: TsInternetUser - Cannot Change Password
Risk Level: Low
Description: It is recommended that a machine be set up so that users have the ability to change their own password; otherwise password changes will occur less frequently. However, if this account is used by a system service, the ability to change passwords is not required.
How To Fix:
Allow the user to change their password by doing the following:
1. Open User Manager.
2. Select the user from the list box.
3. Select properties from the User menu.
4. Uncheck "User Cannot Change Password."
5. Click "OK".
CVE: GENERIC-MAP-NOMATCH


Accounts: Min Password Age
Risk Level: Low
Description: The minimum password age is the smallest number of days that must pass before a user can change their password again. If no minimum password age is set, user passwords can be changed too often, and users could begin to forget passwords or start reusing old passwords.
How To Fix:
For Windows NT 4.0:
Set the minimum password age to 2 days.
1. Open User Manager.
2. Select Account from the Policies menu.
3. Click Allow Changes In.
4. Enter the minimum days (Recommended 2 or less).
For Windows 2000:
1. Open Administrative Tools, then Local Security Policy.
2. Navigate to Account Policy, then Password Policy.
3. Reconfigure your settings from the menu on the right.
CVE: CAN-1999-0535


Accounts: Password History
Risk Level: Low
Description: Password History is the number of passwords Windows NT will remember so that users cannot use the same password twice. It is recommended that you set the history length to 4.
How To Fix:
Set the Password History to 4.
1. Open User Manager.
2. Select Account from the Policies menu.
3. Click "Remember Passwords".
4. Enter the amount (Recommended 4 or greater).
CVE: CAN-1999-0535


Accounts: TsInternetUser - User Never Logged On
Risk Level: Information
Description: It is suggested that you review this user account. If it is not needed or was not created by an administrator of your network, it is suggested that you disable or delete it.
How To Fix:
To delete the account:
1. Open User Manager
2. Select the account to delete
3. Press the "Delete" key
4. Click "Ok"
To Disable the account:
1. Open User Manager
2. Select the account to disable
3. Select Properties from the User menu
4. Check "Account Disabled"
5. Click "Ok"
CVE: GENERIC-MAP-NOMATCH


Registry: No Remote Registry Access Available
Risk Level: Information
Description: This host does not allow remote registry access. This could be due to a lack of administrative rights on the host, or because remote registry access is not available. Retina relies on this remote access for many crucial audits.
How To Fix:
Ensure the remote system has remote registry capabilities on and that you have administrative rights on the system.



Machine: 010.001.001.108

OS Detected: Windows 2000
Remote Date: 7/19/2001
Remote MAC: 00-50-56-40-42-3F
Netbios Name: LTREE108
Netbios Workgroup: WORKGROUP
Remote Time: 9:8:53
Closed Ports: 1904
Open Ports: 8



Ports: 010.001.001.108


80: WWW-HTTP - World Wide Web HTTP (Hyper Text Transfer Protocol)
Detected Protocol: HTTP
Server Path: c:\inetpub\wwwroot\
Port State: Open
Version: MICROSOFT-IIS/5.0


135: RPC-LOCATOR - RPC (Remote Procedure Call) Location Service
Port State: Open


139: NETBIOS-SSN - NETBIOS Session Service
Port State: Open


443: HTTPS - HTTPS (Hyper Text Transfer Protocol Secure) - SSL (Secure Socket Layer)
Port State: Open


445: MICROSOFT-DS - Microsoft-DS
Port State: Open


1025: LISTEN - listen
Port State: Open


1026: NTERM - nterm
Port State: Open


1433: MS-SQL-S - Microsoft-SQL-Server
Port State: Open



Services: 010.001.001.108


Browser: Computer Browser
Browser (Computer Browser) maintains an up-to-date list of computers on your network and supplies the list to requesting programs.


LanmanServer: Server
Provides RPC support and file, print, and named pipe sharing.


LanmanWorkstation: Workstation
Provides network connections and communications.


LicenseService: License Logging Service
License Logging Service.


Netlogon: Net Logon
Supports pass-through authentication of account logon events for computers in a domain.


RpcSs: Remote Procedure Call (RPC)
(RPC) Remote Procedure Call. Provides the endpoint mapper and other miscellaneous RPC services.


Spooler: Print Spooler
Print Spooler. Loads files to memory for later printing.


SQL Server: (no description available)



Shares: 010.001.001.108


ADMIN$: Remote Admin
Default administration share. The ADMIN$ share is a mapping to \winnt\system32. An attacker could use access to this share to remotely run L0phtCrack against your server to find out your passwords.


C$: Default share
This is a default share created when the server first boots. It is a mapping to the root of your C drive.


IPC$: Remote IPC
This is a default share created when the server first boots. Responsible for Inter Process Communications.



Users: 010.001.001.108


Administrator: Built-in account for administering the computer/domain
Last logon: Thu Jul 19 06:27:59 2001
Last Logoff: unknown
Password Age: 262 days
Expires: never
Logon Server: \\*
Max storage: unlimited
Number of Logons: 23
Privilege: Administrator
Password expired: no
RID: 500
Bad PW Count: 2
Country Code: 0


Guest: Built-in account for guest access to the computer/domain
Account Disabled: True
Last logon: never
Last Logoff: unknown
Expires: never
Logon Server: \\*
Max storage: unlimited
Number of Logons: 0
Privilege: Guest
Password expired: no
RID: 501
Bad PW Count: 2
Country Code: 0


IUSR_VM2KSERVER: Built-in account for anonymous access to Internet Information Services
Full Name: Internet Guest Account
Last logon: Thu Jul 19 10:08:27 2001
Last Logoff: unknown
Password Age: 325 days
Expires: never
Logon Server: \\*
Max storage: unlimited
Number of Logons: 0
Privilege: Guest
Password expired: no
RID: 1001
Bad PW Count: 0
Country Code: 0


IWAM_VM2KSERVER: Built-in account for Internet Information Services to start out of process applications
Full Name: Launch IIS Process Account
Last logon: Thu Jul 19 10:08:53 2001
Last Logoff: unknown
Password Age: 325 days
Expires: never
Logon Server: \\*
Max storage: unlimited
Number of Logons: 16
Privilege: Guest
Password expired: no
RID: 1002
Bad PW Count: 0
Country Code: 0


TsInternetUser: This user account is used by Terminal Services.
Full Name: TsInternetUser
Last logon: never
Last Logoff: unknown
Password Age: 325 days
Expires: never
Logon Server: \\*
Max storage: unlimited
Number of Logons: 0
Privilege: Guest
Password expired: no
RID: 1000
Bad PW Count: 3
Country Code: 0

 

Glossary 4 - 1



DoS Attack: A Denial of Service (DoS) attack is a remote attack against a server's TCP/IP stack or services. DoS attacks can saturate a server's bandwidth, exhaust all available connections for a particular service, or even crash a server.

Exploit: A script or program that takes advantage of vulnerabilities in services or programs to allow an attacker to gain unauthorized or elevated system access.

Host: A node on a network. Usually refers to a computer or device on a network which both initiates and accepts network connections.

IP Address: The 32-bit address defined by the Internet Protocol in STD 5, RFC 791. It is usually represented in dotted decimal notation. Any device connected to the Internet that uses TCP/IP is assigned an IP address. An IP address can be likened to a home address in that no two are alike.

Netbios: Network Basic Input Output System. The standard interface to networks on IBM PC and compatible networks.

Ping: A program used to test reachability of destination nodes by sending them an ICMP echo request and waiting for a reply.

Port: A port in the network sense is the pathway that a computer uses to transmit and receive data. As an example, Web Servers typically listen for requests on port 80.

Registry: The internal system configuration that a user can customize to alter his computing environment on the Microsoft Windows platform. The registry is organized in a hierarchical structure of subtrees and their respective keys, subkeys, and values that apply to those keys and subkeys.

Service: A service is a program running on a remote machine that in one way or another provides a service to users. For example, when you visit a website the remote server displays a web page via its web server service.

Share: A folder, set of files, or even a hard drive partition set up on a machine to allow access to other users. Shares are frequently set up with incorrect file permissions which could allow an attacker to gain access to this data.

Sniffer: Attackers frequently place a sniffer program on a compromised machine. The sole purpose of a sniffer is to collect data transmitted on the network in clear text, including usernames and passwords.

Subnet: A portion of a network, which may be a physically independent network segment, which shares a network address with other portions of the network and is distinguished by a subnet number.

Vulnerability: A weakness or a flaw in a program or service that can allow an attacker to gain unauthorized or elevated system access.


END OF REPORT